%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  Copyright by Wenliang Du.                                       %%
%%  This work is licensed under the Creative Commons                %%
%%  Attribution-NonCommercial-ShareAlike 4.0 International License. %%
%%  To view a copy of this license, visit                           %%
%%  http://creativecommons.org/licenses/by-nc-sa/4.0/.              %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\newcommand{\commonfolder}{../../common-files}
\newcommand{\webcommon}{../Web_Common}

\input{\commonfolder/header}
\input{\commonfolder/copyright}


\newcommand{\bash}{{\tt bash}\xspace}
\newcommand{\Bash}{{\tt Bash}\xspace}

\lhead{\bfseries SEED Labs -- Shellshock Attack Lab}

\begin{document}

\begin{center}
{\LARGE Shellshock Attack Lab}
\end{center}

\seedlabcopyright{2006 - 2016}

\section{Overview}

On September 24, 2014, a severe vulnerability in bash was identified.
Nicknamed Shellshock, this vulnerability can exploit many systems and be
launched either remotely or from a local machine.  In this
lab, students need to work on this attack, so they can understand the
Shellshock vulnerability. The learning objective of this lab is for students to get a
first-hand experience on this interesting attack, understand how it
works, and think about the lessons that we can get out of this
attack. The first version of this lab was developed on September 29, 2014, 
just five days after the attack was reported. It was assigned to the students 
in our Computer Security class on September 30, 2014. An important mission
of the SEED project is to quickly turn real attacks 
into educational materials, so instructors can bring them into their
classrooms in a timely manner and keep their students engaged with what
happens in the real world. This lab covers the following topics:

\begin{itemize}[noitemsep]
\item Shellshock
\item Environment variables 
\item Function definition in bash
\item Apache and CGI programs
\end{itemize}


\paragraph{Readings and videos.}
Detailed coverage of the Shellshock attack can be found in the following:

\begin{itemize}
\item Chapter 3 of the SEED Book, \seedbook
\item Section 3 of the SEED Lecture at Udemy, \seedcsvideo
\end{itemize}


\paragraph{Lab environment.} \seedenvironmentB \nodependency



% *******************************************
% SECTION
% *******************************************
\section{Environment Setup} 



% -------------------------------------------
% SUBSECTION
% -------------------------------------------
\subsection{DNS Setting}

In our setup, the web server container's IP address is
\texttt{10.9.0.5}. The hostname of the server is called
\texttt{www.seed-server.com}. We need to map
this name to the IP address. Please add the following
to \texttt{/etc/hosts}. You need to use the root privilege
to modify this file: 

\begin{lstlisting}
10.9.0.5       www.seed-server.com
\end{lstlisting}
 


% -------------------------------------------
% SUBSECTION
% -------------------------------------------
\subsection{Container Setup and Commands}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\input{\commonfolder/container/setup}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


% -------------------------------------------
% SUBSECTION
% -------------------------------------------
\subsection{Web Server and CGI}

In this lab, we will launch a Shellshock attack on the web server container. 
Many web servers enable CGI, which is a standard method used to generate
dynamic content on web pages and for web applications. Many CGI programs are
shell scripts, so before the actual CGI program runs,
a shell program will be invoked first, and such an invocation is
triggered by users from remote computers. If the shell program is
a vulnerable bash program, we can exploit the Shellshock vulnerable to
gain privileges on the server.


In our web server container, we have already set up a very simple CGI
program (called \texttt{vul.cgi}). 
It simply prints out {\tt "Hello World"} using a shell script.
The CGI program is put inside Apache's default CGI folder \texttt{/usr/lib/cgi-bin},
and it must be executable. 

\begin{lstlisting}[caption=\texttt{vul.cgi}] 
(*@\textbf{\#!/bin/bash\_shellshock}@*)          

echo "Content-type: text/plain"
echo
echo
echo "Hello World"
\end{lstlisting}

The CGI program uses \texttt{/bin/bash\_shellshock} (the first line),
instead of using \texttt{/bin/bash}. This line specifies
what shell program should be invoked to run the script. We do need to use
the vulnerable bash in this lab.


To access the CGI program from the Web, we can either use a browser by
typing the following URL: \url{http://www.seed-server.com/cgi-bin/vul.cgi}, 
or use the following command line program {\tt curl} to do the same thing. Please 
make sure that the web server container is running.

\begin{lstlisting}
$ curl http://www.seed-server.com/cgi-bin/vul.cgi
\end{lstlisting}


% *******************************************
% SECTION
% ******************************************* 
\section{Lab Tasks}

Detailed guidelines on the Shellshock attack can be found in the SEED book, so we will not 
repeat the guidelines in the lab description. 

% -------------------------------------------
% SUBSECTION
% ------------------------------------------- 
\subsection{Task 1: Experimenting with Bash Function}


The bash program in Ubuntu 20.04 has already been patched, so it is no
longer vulnerable to the Shellshock attack. For the purpose of this lab, we
have installed a vulnerable version of bash inside the container (inside \texttt{/bin}). 
The program can also be found in the \texttt{Labsetup} folder (inside \texttt{image\_www}). 
Its name is \texttt{bash\_shellshock}. We need to use 
this bash in our task. You can run this shell program either in the 
container or directly on your computer. 
The container manual is linked to the lab's website. 

Please design an experiment to verify whether this bash is
vulnerable to the Shellshock attack or not. 
Conduct the same experiment on the patched version 
\texttt{/bin/bash} and report your observations.


% -------------------------------------------
% SUBSECTION
% ------------------------------------------- 
\subsection{Task 2: Passing Data to Bash via Environment Variable}


To exploit a Shellshock vulnerability in a bash-based CGI program, attackers need to 
pass their data to the vulnerable bash program, and the data need to be
passed via an environment variable. In this task, we need to see how we can
achieve this goal. We have provided another CGI program (\texttt{getenv.cgi}) on the 
server to help you identify what user data can get into the environment
variables of a CGI program. This CGI program prints out all
its environment variables. 


\begin{lstlisting}[caption=\texttt{getenv.cgi}]
#!/bin/bash_shellshock             

echo "Content-type: text/plain"
echo
echo "****** Environment Variables ******"
strings /proc/$$/environ            (*@\ding{192}@*)
\end{lstlisting}

\paragraph{Task 2.A: Using brower.}
In the code above, Line \ding{192} prints out the contents of all the
environment variables in the current process. Normally, you would see something 
like the following if you use a browser to access the CGI program. Please 
identify which environment variable(s)' values are set by the browser.
You can turn on the HTTP Header Live extension on your browser to 
capture the HTTP request, and compare the request with the 
environment variables printed out by the server. Please include your 
investigation results in the lab report.

\begin{lstlisting}
****** Environment Variables ******
HTTP_HOST=www.seed-server.com
HTTP_USER_AGENT=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) ...
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9, ...
HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.5
HTTP_ACCEPT_ENCODING=gzip, deflate
...
\end{lstlisting}

 
\paragraph{Task 2.A: Using \texttt{curl}}
If we want to set the environment variable data to arbitrary values,
we will have to modify the behavior of the browser, that will be too complicated. 
Fortunately, there is a command-line tool called \texttt{curl}, which allows 
users to to control most of fields in an HTTP request. Here are some 
of the userful options: (1) the \texttt{-v} field can print out the header 
of the HTTP request; (2) the \texttt{-A}, \texttt{-e}, and 
\texttt{-H} options can set some fields in the header request, and
you need to figure out what fields are set by each of them. 
Please include your findings in the lab report. 
Here are the examples on how to use these fields:
 

\begin{lstlisting}
$ curl -v www.seed-server.com/cgi-bin/getenv.cgi
$ curl -A "my data" -v www.seed-server.com/cgi-bin/getenv.cgi
$ curl -e "my data" -v www.seed-server.com/cgi-bin/getenv.cgi
$ curl -H "AAAAAA: BBBBBB" -v www.seed-server.com/cgi-bin/getenv.cgi
\end{lstlisting}
 
Based on this experiment, please describe what options of \texttt{curl} 
can be used to inject data into the environment variables of 
the target CGI program. 


% -------------------------------------------
% SUBSECTION
% ------------------------------------------- 
\subsection{Task 3: Launching the Shellshock Attack}

We can now launch the Shellshock attack. 
The attack does not depend on what is in the CGI program, as it targets
the bash program, which is invoked before the actual CGI script is
executed. Your job is to launch the attack through the URL
\url{http://www.seed-server.com/cgi-bin/vul.cgi}, so you can
get the server to run an arbitrary command. 


If your command has a plain-text output, and you want the output returned to you,
your output needs to follow a protocol: it should start with 
\texttt{Content\_type: text/plain}, followed by an empty line, and then
you can place your plain-text output. For example, if you want the
server to return a list of files in its folder, your command  
will look like the following: 

\begin{lstlisting}
echo Content-type: text/plain; echo; /bin/ls -l
\end{lstlisting}
 

In this task, please use three different approaches (i.e., three different HTTP header fields)
to launch the Shellshock attack against the target CGI program. You need to achieve 
the following objectives. For each objective, you only need to use one approach,
but in total, you need to use three different approaches. 

\begin{itemize}
\item Task 3.A: Get the server to send back the content of the \texttt{/etc/passwd} file. 

\item Task 3.B: Get the server to tell you its process' user ID. You can use 
the \texttt{/bin/id} command to print out the ID information. 

\item Task 3.C: Get the server to create a file inside the \texttt{/tmp} folder. You need to 
get into the container to see whether the file is created or not, or use 
another Shellshock attack to list the \texttt{/tmp} folder.

\item Task 3.D: Get the server to delete the file that you just created 
inside the \texttt{/tmp} folder. 
\end{itemize} 


\paragraph{Questions.} Please answer the following questions:
\begin{itemize}
\item Question 1: Will you be able to steal the content of 
the shadow file \texttt{/etc/shadow} from the server? Why or why not?  
The information obtained in Task 3.B should give you a clue. 

\item Question 2: HTTP GET requests typically attach data in the URL, 
after the \texttt{?} mark. This could be another 
approach that we can use to launch the attack. In the following example,
we attach some data in the URL, and we found that the data are used to set
the following environment variable: 

\begin{lstlisting}
$ curl "http://www.seed-server.com/cgi-bin/getenv.cgi?AAAAA"
...
QUERY_STRING=AAAAA
...
\end{lstlisting}

Can we use this method to launch the Shellshock attack? Please conduct your 
experiment and derive your conclusions based on your experiment results. 
     
\end{itemize}

  


% -------------------------------------------
% SUBSECTION
% ------------------------------------------- 
\subsection{Task 4: Getting a Reverse Shell via Shellshock Attack}

The Shellshock vulnerability allows attacks to run arbitrary commands on
the target machine. In real attacks, instead of hard-coding the command 
in the attack, attackers often choose to run a shell
command, so they can use this shell to run other commands,
for as long as the shell program is alive. 
To achieve this goal, attackers need to run a reverse shell.

Reverse shell is a shell process started on a machine, with its input and output being
controlled by somebody from a remote computer. Basically, the shell runs
on the victim's machine, but it takes input from the attacker machine and
also prints its output on the attacker's machine. Reverse shell
gives attackers a convenient way to run commands on a compromised machine. 
Detailed explanation of how to create a reverse shell can be found in 
the SEED book. We also summarize the explanation in
Section~\ref{shellshock:sec:reverseshell}.
In this task, you need to demonstrate 
how you can get a reverse shell from the victim using the Shellshock attack. 


% -------------------------------------------
% SUBSECTION
% ------------------------------------------- 
\subsection{Task 5: Using the Patched Bash}

Now, let us use a bash program that has already been patched.
The program \texttt{/bin/bash} is a patched version.
Please replace the first line of 
the CGI programs with this program. 
Redo Task 3 and describe your observations. 


% *******************************************
% SECTION
% ******************************************* 
\section{Guidelines: Creating Reverse Shell}
\label{shellshock:sec:reverseshell}


\input{\commonfolder/guidelines/reverse_shell}





% *******************************************
% SECTION
% ******************************************* 
\section{Submission}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\input{\commonfolder/submission}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


\end{document}

